Using python from a browser/security hole

Bengt Richter bokr at oz.net
Fri Apr 15 17:12:36 EDT 2005


On Fri, 15 Apr 2005 09:52:41 -0400, James Carroll <mrmaple at gmail.com> wrote:

>I don't think Jython will help much here... you would have to embed
>jython in your applet which makes it big, which makes it take longer
>to download... (or you could install it ahead of time on each client.)
>
>I asked my friend who did some smartcard authentication at a previous
>job... and in his case the card had an LCD readout that gave a
>different key every minute, and the user had to look at that number,
>and type it in for access.   To automate this, with a card reader,
>there could be a (barcoder-scanner-like) app on each client that would
>emulate typing on the keyboard when the card was read.  The user would
>have to click on a text field, then scan their card and the number
>would show up automatically.  One step further... some javascript
>could possibly get the keyboard events as long as the page had input
>focus, and if it sees a smart-card key like sequence of keystrokes,
>then submit a form from a hidden IFrame....
>
>So, short of writing your own plug-in extension for each different
>browser, I'm not sure you're going to be able to access the client
>hardware from a client-side web page.  Either way (plug-in or java
>applet with privileges) your user will have to agree to give access to
>the hardware.
>
>-Jim
I wonder if anyone has written a safe proxy for this kind of purpose,
so that any browser would see just ordinary html at a particular url
but would then be viewing html either passed through from a particular
server or synthesized for the local access part, which it could
do arbitrarily, depending on its user/privilege status.

[BTW, note reason why top-posts scramble things eventually. Please reconsider ;-)]

>
>On 4/15/05, Philippe C. Martin <philippe at philippecmartin.com> wrote:
>> Neil,
>>
>> Would Jpython let me do that ?
>> Would java let me call an external Python script - which in turn would
>> access my device ?
>>
>> Thanks
>>
>> Philippe
>>
>>
>> Neil Hodgson wrote:
>>
>> > Philippe:
>> >
>> >> Since I need to access a local/client device from the page and
>> >> that I wish to be cross-platform; does that mean Java is my only
>> >> way out ?
See comment above.

>> >
>> >    Java is designed to be safe and not allow access to client devices.
>> > There is a mechanism where you can attempt to ask for permission from
>> > Java but it looked complex to me and I doubt many browsers will
>> > cooperate. They have often locked security down to prevent this sort of
>> > access.
>> >
>> >    Neil
>>
>> --
>> http://mail.python.org/mailman/listinfo/python-list
>>
>>

Regards,
Bengt Richter
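
An added illustration, not part of the message above or of any code from this thread: a minimal sketch of the kind of local proxy the message asks about, bound to loopback only, synthesizing HTML for the local-access path and passing every other request through to one fixed server. The upstream URL, port, path prefix and `read_device()` are hypothetical placeholders.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen
import html

UPSTREAM = "http://upstream.example"   # assumed: the single server passed through
LOCAL_PREFIX = "/local/"                # assumed: path answered on the client itself
ALLOWED_HOSTS = {"127.0.0.1:8080", "localhost:8080"}

def read_device():
    """Hypothetical stand-in for the card-reader access (constructed value)."""
    return "card-serial-0000"

def route(path, host):
    """Classify a request as 'reject', 'local' or 'upstream'."""
    if host not in ALLOWED_HOSTS:       # refuse requests addressed to any other name
        return "reject"
    if not path.startswith("/"):        # keep UPSTREAM + path on the upstream host
        return "reject"
    if path.startswith(LOCAL_PREFIX):
        return "local"
    return "upstream"

def local_page(reading):
    """Synthesize ordinary HTML for the local part, escaping the device data."""
    return "<html><body><p>Device: %s</p></body></html>" % html.escape(reading)

class Proxy(BaseHTTPRequestHandler):
    def do_GET(self):
        action = route(self.path, self.headers.get("Host", ""))
        if action == "reject":
            self.send_error(403)
            return
        if action == "local":
            body = local_page(read_device()).encode()
        else:
            try:
                with urlopen(UPSTREAM + self.path, timeout=10) as resp:
                    body = resp.read()
            except OSError:             # upstream unreachable or returned an error
                self.send_error(502)
                return
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")  # assumes HTML upstream
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Proxy).serve_forever()  # loopback only
```
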


